To 2.5.0 or not ? that is the question :)

SeaMonkey

To anyone having OpenVPN issues, double check your cryptographic parameters in client and server. I had to add ncp-disable to my PIA connections to get them working again. Also, the update broke my site-to-site connection and I discovered that the IPv4 tunnel network on the client side was blank and was somehow previously working with it blank and with a certificate that didn't exist on the server.

stephenw10

@thesurf There is no relayd in 2.5 and it's unlikely to ever come back. It's in the release notes:
https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html#security-errata

You should use HAProxy instead if you need that functionality.

Steve

johnpoz

@seamonkey said in To 2.5.0 or not ? that is the question :):

discovered that the IPv4 tunnel network on the client side was blank and was somehow previously working with it blank and with a certificate that didn't exist on the server.

Something like this could be issues for many users problems. Something that was allowing something to work that was in fact a bug or problem.

As another example - not actually related to 2.5.. But is a sim sort of example. I had freerad running and auth phones to my wireless via eap-tls. There was an update to the freerad package that broke my setup. Because I didn't actually have any uses setup, but it was authing anyway just on cert and not actually checking the cn on the cert matching to username.. When the package was updated to fix that, it broke my connection.

So its quite possible some changes in stuff could break specific setups that were working - but really shouldn't have been..

stephenw10

There was a whole bunch pointless and abusive arguing in this thread that I have removed.

Please keep it civil.

Everyone here is working to resolve whatever issues there may be in 2.5. Actual reports with data to allow us to replicate are what will achieve that.

Thanks,
Steve

SeaMonkey

@johnpoz In other words, the pfSense update doesn't suck. pfSense just got better at letting you know when your configuration sucks.

johnpoz

^ yeah that could be the case in some.. Not saying all, but sure some.. This is why details are so important when reporting something doesn't work. When working through my problem - the thread around if you want to look... It took a bit of time to track it down. Viktor was most helpful in finding the issue..

And after finding it - it was a d'oh moment for sure. Was like how and the hell was it working for so long before ;)

A Former User

Currently the GUI renders a invalid frr config when bgp as-path ACLs are in use. This ACLs will be written under the "router bgp <asn>" section what causes FRR and bgpd daemon failing to start. Switching to raw config mode and putting all bgp as-path access-list outsite the router bgp section is the only way to work this around. Prefix-lists and route-maps are not affected by this and will be written correctly to the config.

Another difference is that bgpd starting with Version 7.5 does default filtering for route announcements . Without a outbound route-map in the neighbor statement, no routes will be announced at all. An empty "route-map permit <seq>" does the the job.

From the release notes of frr7.5

I suggest to put this kind of Information into the Release Notes of pfsense 2.5.0 as well, so customer can prepare configuration before updating.

The next difference compared to 2.4.5 is, that now IGP route synchronization is in effect. I could not disable it by using "no synchronization" in der bgpd config. So when you configure prefixes by the network statement, that are not in the routing table, it's necessary to configure a static route to Null for that networks on the device. This is pretty common on many network devices, but not was not necessary in 2.4.5.

One of my peers teared down after some time and wasn't able to get into Establish state again at all. Had to reboot to resolve this. Logs said something like "Couldn't write to socket: Permission denied," (Can't recall the exact message and haven't saved the Logs before rollback). The other two BGP Session stayed up for about two hours.

Thats what I figured out for bgp on 2.5.0, hadn't have the chance to look into ospf yet.

It's not directly releated to frr but I also noticed that IPsec VTIs stays at MTU of 1400, regardless whats configured on the Interface.

route -n get <ip>
   route to: <ip>
destination: <ip>
        fib: 0
  interface: ipsec1000
      flags: <UP,HOST,DONE,PINNED>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1400         1         0

My favorite Bug affects 2.4.5. Since I want to stay on 2.4.5 for now, I decided to change the Branch back to Previous stable version. Doing so uninstalls frr completely - no questions asked.

dma_pf

Upgraded to 2.5.0 about 10 hours ago from the GUI. The update went smoothly and took a total of less than 15 minutes. I was able to login to the GUI after the upgrade was completed. Everything has been running well and has been stable. I had 2 issues that came up post upgrade.

Issue 1: I had 3 openvpn connections that were down. Before the upgrade I had read some posts where others had had the same issue. The fix was to uncheck the "Data Encryption Negotiation" setting in the openvpn client setups. As soon as the setting was unchecked and saved the connections were immediately reinstated.

Issue 2: Once pfBlockerNG-devel was reinstalled the DNSBL was out of sync. It was easily resolved with a Forced/Reload in the Update tab in pfBlockerNG.

My setup includes the following: 1 WAN, 2 regular interfaces, 4 vlans, multiple DHCP Servers, DNS Resolver, Dynamic DNS, 3 openvpn clients, 2 openvpn servers.

yon 0

@artes said in To 2.5.0 or not ? that is the question :):

/usr/local/etc/rc.d/frr restart all
Checking intergrated config...
Checking vtysh.conf
line 37: % Unknown command[4]:  address-family ipv4 unicast
line 38: % Unknown command[4]:   network <ip>.64.0/20
line 39: % Unknown command[4]:   neighbor <ip>.16.1 activate
line 40: % Unknown command[4]:   neighbor <ip>.16.17 activate
line 41: % Unknown command[4]:   neighbor <ip>.16.29 activate
line 42: % Unknown command[4]:   neighbor <ip>.16.1 send-community both
line 43: % Unknown command[4]:   neighbor <ip>.16.1 next-hop-self
line 44: % Unknown command[4]:   neighbor <ip>.16.1 soft-reconfiguration inbound
line 45: % Unknown command[4]:   neighbor <ip>.16.1 route-map Site_Kref_Primary_RMAP in
line 46: % Unknown command[4]:   neighbor <ip>.16.1 addpath-tx-bestpath-per-AS
line 47: % Unknown command[4]:   neighbor <ip>.16.17 send-community both
line 48: % Unknown command[4]:   neighbor <ip>.16.17 next-hop-self
line 49: % Unknown command[4]:   neighbor <ip>.16.17 route-map HDC-LOCAL-PREF80 in
line 50: % Unknown command[4]:   neighbor <ip>.16.29 send-community both
line 51: % Unknown command[4]:   neighbor <ip>.16.29 next-hop-self
line 52: % Unknown command[4]:   neighbor <ip>.16.29 route-map HDC-LOCAL-PREF90 in
line 53: % Unknown command[4]:  exit-address-family
FAILED

If somebody is using FRR for BGP be carefull - Zebra and BGPd won't come up and your network is fried if you rely on it. Thanks to virtualization and snapshot it's possible to minimize damage.

yes, i am using frr and network down.

chudak

@jwj said in To 2.5.0 or not ? that is the question :):

https://nyifiles.netgate.com/mirror/downloads

Do you have another pointer ?
This one points to 2.5.0

A Former User

@chudak No. The older ones have been removed from the mirrors.

yon 0

i have some old version, maybe i have to change to old version for test.

stephenw10

Open a ticket and we can get you a link to 2.4.5p1 if you need it for now: https://go.netgate.com/

Steve

bingo600

@jwj said in To 2.5.0 or not ? that is the question :):

@chudak No. The older ones have been removed from the mirrors.

I learned the hard way ....
Always download & save a copy of the install packages used, along with the SHA256-SUM.
That goes for "even if you do just upgrade" , always get an install image of the version you have upgraded to.

I upgraded from 2.4.4-p3 to 2.4.5-p1 , and luckily remembered to get a copy of the 2.4.5-p1 install image , even though i never installed from that image.

Is handy to have right now , if i need to fallbck.

/Bingo

chudak

@bingo600 said in To 2.5.0 or not ? that is the question :):

@jwj said in To 2.5.0 or not ? that is the question :):

@chudak No. The older ones have been removed from the mirrors.

I learned the hard way ....
Always download & save a copy of the install packages used, along with the SHA256-SUM.
That goes for "even if you do just upgrade" , always get an install image of the version you have upgraded to.

I upgraded from 2.4.4-p3 to 2.4.5-p1 , and luckily remembered to get a copy of the 2.4.5-p1 install image , even though i never installed from that image.

Is handy to have right now , if i need to fallbck.

/Bingo

This is a good practice.
More interesting is why Netgate won't allow access to older versions ?!

stephenw10

Open a ticket and we can get it to you if you need it.

chudak

This post is deleted!

buggz

Downloaded old and new ISO image files.
Backed up configuration to .xml file.

Performed online update from 2.4.5-p1 to 2.5
Rebooted, everything seems to work, EXCEPT...

Traffic Graphs for LAN - no data is shown, but traffic is working.
Interface/LAN (igb0) tab, save operation reports:
"The Router Advertisements Server is active on this interface and it can be used only with a static IPv6 configuration.
Please disable the Router Advertisements Server service on this interface first, then change the interface configuration."

I don't have IPV6 enabled on WAN, nor LAN, never had.

IS there any where else this is configured?

viktor_g

@buggz said in To 2.5.0 or not ? that is the question :):

Downloaded old and new ISO image files.
Backed up configuration to .xml file.

Performed online update from 2.4.5-p1 to 2.5
Rebooted, everything seems to work, EXCEPT...

Traffic Graphs for LAN - no data is shown, but traffic is working.
Interface/LAN (igb0) tab, save operation reports:
"The Router Advertisements Server is active on this interface and it can be used only with a static IPv6 configuration.
Please disable the Router Advertisements Server service on this interface first, then change the interface configuration."

I don't have IPV6 enabled on WAN, nor LAN, never had.

IS there any where else this is configured?

It was configured before
You can temporary set the LAN IPv6 address to static mode and disable the Router Advertisements Server on the Services / DHCPv6 & RA page, then switch the LAN IP back.
see https://redmine.pfsense.org/issues/11367

buggz

@viktor_g
Perfect!
Thank you!